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(54) System and method for preventing differential power analysis attacks (DPA) on a 
cryptographic device 



(57) System and method for performing crypto- 
graphic operations include providing at least one proc- 
essor for performing cryptographic operations, memory 
coupled to the processor for use in performing the cryp- 
tographic operations; and a storage component coupled 
to the processor for storing and retrieving information 
calculated and used in the cryptographic operations. 



The processor, memory and storage component are se- 
curely enclosed whereby direct access to the crypto- 
graphic operations is prevented. A power source, which 
is external to the secure enclosure, is coupled to and 
supplies power to the processor, the memory and the 
storage component. Circuitry within the enclosure main- 
tains a constant power drain on the power source. 



FIG. 3 
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Description 

[0001] The present application shares common ele- 
ments of disclosure with commonly assigned, co-pend- 
ing European application number 99125306.3, filed De- 
cember 17, 1999 and titled SYSTEM AND METHOD 
FOR SUPPRESSING CONDUCTED EMISSIONS BY A 
CRYPTOGRAPHIC DEVICE and European application 

number , titled SYSTEM AND 

METHOD FOR SUPPRESSING CONDUCTED EMIS- 
SIONS BY A CRYPTOGRAPHIC DEVICE COMPRIS- 
ING AN INTEGRATED CIRCUIT, filed on even date 
herewith. 

[0002] The subject invention relates generally to sys- 
tems for carrying out cryptographic processes and, 
more particularly, to systems and methods for increas- 
ing the security of such systems; particularly such sys- 
tems used to verify the payment of postage. 
[0003] Cryptographic systems have many applica- 
tions both for the secure transmission of information and 
for the authentication and verification of the source of 
information. One such application is the verification of 
postage. 

[0004] The vast majority of the Posts around the world 
require prepayment for postal services provided by the 
Posts. Prepayment, however, requires verifiable evi- 
dence of paid postage. The traditional postage stamp is 
a prime example of such evidence. 
[0005] Another is the use of postage meters, which 
alleviate some shortcomings of postage stamps. The 
first postage meters were mechanical devices which se- 
curely coupled printing and accounting functions. The 
mechanical meter, which was perfected over the years, 
became a widespread basic business machine. The ac- 
counting and machine control functions were computer- 
ized when electronic postage meters were introduced 
in the late seventies. This enabled new features, includ- 
ing departmental accounting and computerized meter 
resetting. However, the fundamental security of postage 
evidencing remained the same; depending on two fea- 
tures: 1) physical security of the printing process, i.e., 
printing of postage evidence can not occur without ap- 
propriate accounting, and 2) forensic delegability, i.e., 
fraudulent postal indicia can be distinguished from legit- 
imate indicia. 

[0006] Coupling the printing and accounting mecha- 
nism within a secure tamper-evident enclosure provides 
physical security of printing. Inspection of the device 
normally reveals tampering. Effective forensic delega- 
bility of fraudulent postal indicia depends on non-avail- 
ability of alternative mechanisms suitable for forging in- 
dicia. Until recently, serious attempts to generate fraud- 
ulent indicia using an alternate printing mechanism were 
detectable, 

[0007] Today, the possible use of readily available, in- 
expensive computer-driven printers for printing postage 
evidence offer new opportunities for customer conven- 
ience and substantial cost advantages. However, the 



use of such printers requires new ways of verifying post- 
age evidence, as was first suggested in U. S. Patents 
4,641,347, 4,641,346, 4,757,537, and 4,775,246. At 
that time, it was realized that the security of postage ev- 
5 idencing depends on the security of the information 
printed in the indicium, including message authentica- 
tion and integrity. 

[0008] U. S. Patents 4,831,555 and 4,725,718 ex- 
tended this idea to unsecured printing of postage; dis- 

w closing the necessity that at least some of the informa- 
tion in the indicium must appear random to a party not 
in possession of some secret. Such random looking in- 
formation is commonly referred to as a digital token. 
[0009] The basis of postal revenue security in the dig- 

15 ital world is two new requirements: 1 ) security of the dig- 
ital token generating process, i.e., digital tokens can not 
be generated without appropriate accounting, and 2) au- 
tomatic delegability, i.e., fraudulent digital tokens can 
be detected by automatic means. 

20 [0010] A cryptographic transformation applied to se- 
lected data on the mailpiece produces the digital token. 
The data may include postage value, date, postal code 
of the geographical deposit area, recipient address in- 
formation, meter data, and piece count. Such data is 

25 commonly referred to as postal data. The secret used 
to generate the digital token is generally a cryptographic 
key held within the accounting device. A verifier, with 
access to a verifying key corresponding to the account- 
ing device secret, validates the digital token. Several 

30 cryptographic algorithms and protocols have been con- 
sidered for this purpose. U. S. Patent 4,853,961 de- 
scribes critical aspects of public-key cryptography for 
mailing applications. See Jose Pastor, CRYPTOPOST, 
A Universal Information-Based Franking System for Au- 

35 tomated Mail Processing , Proceedings of the Fourth Ad- 
vanced Technology Conference of the U. S. Postal Serv- 
ice, Vol. I, pp: 429-442, Nov. 1 990. See also Jose Pastor, 
CRYPTOPOST, A Cryptographic Application to Mail 
Processing, Journal of Cryptology, 3 (2), pp. 137-146, 

40 Nov. 1990. 

[0011] Two methods of presenting a postal verifier 
with fraudulent evidence of payment are a counterfeited 
indicium and a copied indicium. The former is an unpaid 
indicium that appears legitimate; in particular which will 

45 satisfy a cryptographic verification process. The latter is 
a replica of a legitimate paid indicium. Such counterfeit 
indicia will necessarily satisfy any cryptographic verifi- 
cation process and must be detected by other means; 
e.g. duplicate mailpiece numbers, etc., which form no 

so part of the present invention. The present invention ad- 
dresses the prevention of counterfeit indicium. 
[0012] A counterfeit indicium can be detected by ver- 
ifying the digital token. Verification proves that the digital 
token was generated by a cryptographic algorithm with 

55 access to the secret meter key. The information printed 
in the indicium and access to a verifying key are suffi- 
cient for the detection of counterfeited indicia as long as 
the secret meter key is confidential. In a public-key sys- 
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tern, a digital signature provides the data authentication 
and integrity check. In a symmetric-key system a mes- 
sage authentication code (MAC) provides a similar 
check. 

[0013] Assuming integrity of the verification software 
and hardware, only a compromised meter secret-key 
can produce verifiable counterfeit indicia. Meters can be 
compromised by violating the physical protection of the 
key by tampering, or by deriving the key from indicia da- 
ta by cryptanalysis. Generally, tampering is detectable 
if the physical protection of the secure component of the 
postage metering system is adequate, for example as 
set forth in FIPS 140-1, Security Requirements for Cryp- 
tographic Modules, National Institute for Standards and 
Technology, Jan. 1 994, and protection against physical 
tampering forms no part of the subject invention. 
[0014] In general various cryptographic operations for 
generating digital tokens to authenticate postal indicia 
and to verify such indicia are well known and details of 
various systems need not be discussed further here for 
an understanding of the subject invention except to note 
that robustness of all such operations against cryptan- 
alysis depends on the difficulty of solving certain math- 
ematical problems, for example, discrete logarithm 
problems or factoring a large composite number, (see: 
The USPS published draft specifications: The INFOR- 
MATION BASED INDICIA PROGRAM (IBIP) INDICIUM 
SPECIFICATION, dated June 13, 1996; The INFORMA- 
TION BASED INDICIA PROGRAM POSTAL SECURI- 
TY DEVICE SPECIFICATION, dated June 13, 1996; 
and The INFORMATION BASED INDICIA PROGRAM 
HOST SYSTEM SPECIFICATION, dated October 9, 
1 996, which together define the U.S. PS. 's proposed re- 
quirements for a postage payment system based upon 
cryptographicafly secured indicia.) 
[0015] As part of its proposed Information-Based In- 
dicia Program (IBIP), the USPS has proposed 1024 bit 
RSA, 1024 bit DSS or 160 bit ECDSA as a measure of 
robustness. 

[0016] Presently, there are two postage metering 
types: closed systems and open systems. In a closed 
system, the system functionality is solely dedicated to 
metering activity. An open system metering device is a 
postage evidencing device with a non-dedicated printer 
that is not securely coupled to a secure accounting mod- 
ule. Open system indicia printed by the non-dedicated 
printer are made secure by including addressee infor- 
mation in the encrypted evidence of postage printed on 
the mailpiece for subsequent verification. Examples of 
open system metering devices include personal compu- 
ter (PC) based devices with single/multi-tasking operat- 
ing systems, multi-user applications and digital printers. 
[0017] Conventional closed system mechanical and 
electronic postage meters have heretofore secured the 
link between printing and accounting. The integrity of the 
physical meter box has been monitored by periodic in- 
spections of the meters. Digital printing postage meters, 
which are closed system postage meters, typically in- 



clude a digital printer coupled to a metering (accounting) 
device, which is referred to herein as a postal security 
device (PSD). Digital printing postage meters have re- 
moved the need for physical inspection by cryptograph- 

5 ically securing the link between the accounting and 
printing mechanisms. In essence, new digital printing 
postage meters create a secure point to point commu- 
nication link between the accounting unit and printhead. 
See, for example, U.S. Patent No. 4,802,218, issued to 

10 Christopher B. Wright et al and now assigned to the as- 
signee of the present invention. 
[0018] An example of a digital printing postage meter 
with secure printhead communication is the Personal 
Post Office™ manufactured by Pitney Bowes Inc. of 

15 Stamford, Connecticut, USA. An example of a digital 
printing postage meter in a secure housing is the Post- 
Perfect" also manufactured by Pitney Bowes Inc. Either 
type of digitally printing system can use cryptographi- 
cally secured digital tokens (though closed systems may 

20 not). 

[0019] As noted above the security of cryptographi- 
cally secured postage metering systems, as well as oth- 
er cryptographic information systems, is based on an 
assumption that the secret information, i.e., the crypto 

25 keys, stored within a secure cryptographic device are 
protected against disclosure to any attacker. With phys- 
ical security in effect, it has been assumed that an at- 
tacker could only obtain crypto keys either by trying all 
the possible crypto keys associated with the algorithm 

30 being used (symmetric algorithms) or by carrying out a 
complex mathematical search (asymmetric algorithms). 
For accepted cryptographic algorithms, this search is 
prohibitive, e.g. obtaining a 1024 bit RSA key requires 
230 years of 300 Mhz PC computing. 

35 [0020] A recently published technique, Differential 
Power Analysis (DPA), undermines this assumption and 
seriously threatens the security of cryptographic devic- 
es. The technique involves observation and analysis of 
fluctuations on the power line of a cryptographic device 

40 (hereinafter sometimes "conducted emissions") to de- 
termine the cryptographic secrets, i.e., the crypto keys, 
used by the device. DPA attack allows one to extract 
secret protected information from a supposedly secure 
cryptographic device by measuring variations in power 

45 consumption over time, and then applying sophisticated 
analysis to this information. As the cryptographic proc- 
essor performs its cryptographic functions, such as en- 
cryption or signing; transistors comprising the processor 
switch on and off, which changes the amount of current 

50 drawn from the source supplying power to the proces- 
sor. Assuming the attacker has some knowledge of the 
functions performed by the cryptographic processor, the 
attacker can correlate the current changes with data be- 
ing processed and the crypto keys being used. Any type 

55 of secure cryptographic device that obtains its operating 
power from an external source is potentially susceptible 
to the attack. Such devices include smart cards, PC 
(PCMCIA) cards and printed circuit boards, including 
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devices that are housed within a protected enclosure. If 
such a cryptographic device is subject to DPA attack, 
then the crypto key can be obtained in a matter of days 
or weeks. Many of the proposed countermeasures to the 
DPA attack involve the introduction of signal noise or 
filters on the power line, random timing and delays dur- 
ing cryptographic processing, and the introduction of ex- 
traneous operations. These countermeasures make the 
attack much more difficult. However, an attacker can 
overcome them by obtaining more samples of power 
line fluctuations and applying more sophisticated ana- 
lytical techniques. 

[0021] While it is important that the security commu- 
nity at large find means either to defeat this attack, or to 
at least greatly lengthen the time and expertise needed 
to successfully carry it out, it is believed particularly im- 
portant for the successful adoption of cryptographically 
secured postage metering systems. In many, if not most 
other cryptographic systems, cryptographic devices and 
their associated keys are in the custody of the "owner" 
who, in principle, has incentive to protect them. Postage 
metering systems however are not used in the custody 
of either party most concerned with system integrity, the 
system vendor or the Post, but by a mailer; who, if dis- 
honest, has every reason to try to defeat the system. To 
further complicate the problem, a desired advantage of 
digital postage metering systems is the reduced need 
for physical inspections; further opening the window of 
opportunity for the dishonest mailer. And the large 
number of systems in use will greatly increase the 
chances that some will fall into the hands of the dishon- 
est; and even a single meter which is compromised can 
be used to generate substantial amounts of fraudulent 
indicia since a successfully counterfeited indicium will 
not be readily detected by the methods used to detect 
simple duplicate indicia. Additionally postage metering 
systems can send thousands of encrypted messages, 
i.e. postal indicia, a day; greatly simplifying the sampling 
task of the DPA attacker. And all these problems must 
be overcome without adding substantially to postage 
costs. 

[0022] Similar considerations also apply to other 
types of value metering systems, which are systems 
which similarly account for and evidence the delivery, 
receipt, or payment for other forms of value (e.g. tax 
stamp meters) by generating indicia or other types of 
messages, which may be secured cryptographically. 
[0023] Thus it is an object of the subject invention to 
provide cryptographic devices, and particularly crypto- 
graphically secured postage metering systems, with 
protection against DPA attack. 

[0024] The above object is achieved and the disad- 
vantages of the prior art are overcome in accordance 
with subject invention which includes a method of pro- 
tecting a cryptographic device performing cryptographic 
operations from DPA attack and a device so protected. 
The cryptographic device is enclosed within a physically 
secure environment. Power is provided to the crypto- 



graphic device from a power source external to the 
physically secure environment and additional circuitry 
connected to the power source and the cryptographic 
device maintains a constant power drain on the power 
5 source as the cryptographic device performs various op- 
erations. 

[0025] According to one aspect of the subject inven- 
tion at least a part of the additional circuitry is located 
within the secure environment. 

[0026] According to another aspect of the subject in- 
vention the additional circuitry includes a current source 
and a voltage regulating circuit, the voltage regulating 
circuit being connected between the power input of the 
cryptographic device and ground. 
[0027] According to another aspect of the subject in- 
vention at least those parts of the additional circuitry car- 
rying separate components of the total current from the 
power source are within the secure environment. 
[0028] According to still another aspect of the subject 
invention the cryptographic operations generate a dig- 
ital token for a postal indicium. 

[0029] According to another aspect of the subject in- 
vention the cryptographic operations generate a secure 
message for a value metering system. 
[0030] Other objects and advantages of the subject 
invention will be apparent to those skilled in the art from 
consideration of the attached drawings and the detailed 
description set forth below. 

Fig. 1 is a block diagram of a traditional crypto- 
graphic device (prior art); 

Fig. 2 is a circuit in accordance with the present in- 
vention for maintaining a constant power drain on a 
power source; 

Fig. 3 is a block diagram of a cryptographic device 
incorporating the circuit of Figure 2 in accordance 
with the subject invention; 

Fig. 4 is a block diagram of a cryptographic device 
incorporating the circuit of Figure 2 in accordance 
with another embodiment of the subject invention; 
and 

Fig. 5 is a graph comparing the current drawn by a 
portion of an RSA signature generation performed 
by the device of Fig. 1 prior to implementation of the 
present invention and subsequent to implementa- 
tion of the present invention. 

[0031] Referring now to Fig. 1, a block diagram of a 
traditional cryptographic device, generally designated 
10, is shown. Cryptographic device 10 includes a con- 
ventional processor 20, coupled to an optional crypto- 
graphic coprocessor 22 for performing cryptographic 
operations, non-volatile memory 24, random access 
memory 26 and read-only memory 28. Cryptographic 
device 10 is enclosed within a secure housing 34. The 
secure housing 34 may be any conventional means for 
preventing access to cryptographic device 10. For ex- 
ample, secure housing 24 may be an integrated circuit 
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chip encased in an epoxy or ceramic housing that pre- 
vents access to the integrated circuit without destruction 
of the integrated circuit. Power to cryptographic device 
10 is input at power line 30. Input/output communica- 
tions occur at I/O line 32. It will be understood that cryp- 
tographic device 10 may be implemented as any 
number of discrete components or as a single integrated 
circuit, such as a smart card. 

[0032] In a preferred embodiment; device 10 can 
comprise a postage metering system where processor 
20 is controlled by program code stored in read-only 
memory 28, to carry out the functions of a postage me- 
tering system such as accounting for postage in non- 
volatile memory 24 and controlling a printer (not shown) 
to print a postal indicium including a digital token formed 
by encryption of postal information by co-processor 22. 
Details of the construction, programming and operation 
of such postage metering systems are known and need 
not be discussed further here for an understanding of 
the subject invention except to note that, as discussed 
above, the protection of the crypto-keys used from side- 
channel attacks such as DPA is both critical to the se- 
curity of such postage metering systems and difficult to 
achieve within the constraints of such systems. 
[0033] In other embodiments of the subject invention 
device 10 can comprise other types of value metering 
systems. 

[0034] Referring now to Fig. 2, a power regulating cir- 
cuit, generally designated 50, is shown that can be used 
with cryptographic device 10 in accordance with the 
present invention. Circuit 50, which is connected be- 
tween a power source and a device as shown in Figure 
2 maintains a constant current flow and power drain 
from the power source. Circuit 50 includes a current 
source 52 and voltage regulating circuit 54. In the em- 
bodiment shown in Figure 2, current source 52 is shown 
as single transistor Q1 and resistor R, and voltage reg- 
ulator 54 is shown as zenner diode D for simplicity of 
illustration. Those skilled in the art will recognize, how- 
ever, that more sophisticated and complex circuits are 
easily designed and may be appropriate to provide high- 
er levels of protection. 

[0035] Current source 52 is connected to line 30 
through line 36 and provides constant current \j, and 
thus constant power to the device and regulator 54 
through line 44. Regulator 54 ensures that the device 
sees a constant voltage. At node 56 current i T divides 
into components i P which drives the device and i 2 which 
flows through regulator 54. In general, as the device per- 
forms various operations the current i P will vary while 
regulator 54 holds the input voltage constant and varies 
i z so that i P + i z = i T , thus holding the power drain from 
source constant. 

[0036] Figure 3 shows an embodiment of the subject 
invention where circuit 50 is incorporated into the cryp- 
tographic device of Figure 1 . In Figure 3 circuit 50 is con- 
nected between coprocessor 22 and an external power 
source (not shown) through line 30. Thus power fluctu- 



ations resulting from cryptographic operations are al- 
most entirely decoupled from line 30 and are substan- 
tially not observable outside housing 34, and DPA at- 
tacks are made much more difficult. 

5 [0037] Figure 4 show another embodiment wherein 
circuit 50 provides power to the whole of device 1 0. This 
embodiment is used where coprocessor is either not in- 
cluded in device 10 or where processor 20 performs 
some part of the critical operations. 

w [0038] Particular values for components of circuit 50 
in particular applications will vary for particular applica- 
tions. Selection of these values for particular applica- 
tions is well within the abilities of a person skilled in the 
art. 

is [0039] It is apparent from inspection of Figure 2 that 
at least those parts of circuit 50 downstream from node 
56 (i.e. those parts of circuit 56 which carry the compo- 
nents of i T separately) must be within housing 34. If an 
attacker can penetrate housing 34 DPA can be conduct- 

20 ed on line 44. 

[0040] Referring now to Fig. 5, a graph 60 is repre- 
sentative of the current drawn, as measured at line 30, 
by a portion of an RSA signature generation performed 
by cryptographic device substantially similar to device 

25 1 o without implementation of the subject invention. The 
difference between squaring and multiply operations 
can be clearly seen. Multiply operations require more 
power and therefore are represented by the higher 
peaks than squaring operations. The RSA key used can 

30 be easily derived from the graph 60 using the DPA at- 
tack; which need not be discussed further here for an 
understanding of the subject invention. Graph 62 shows 
the effectiveness of the subject invention. The same 
portion of the RSA signature generation as shown in 

35 graph 60 is shown in graph 62 after the addition of power 
storage circuit 50, in the form of an external circuit, to 
the cryptographic device. It is noted that the peaks rep- 
resentative of the square and multiply operations previ- 
ously observable in graph 60 are no longer observable 

40 in graph 60. 

[0041 ] While the subject invention has been disclosed 
and described with reference to embodiments thereof, 
it will be apparent, as noted above, that variations and 
modifications may be made therein. It is, thus, intended 

45 in the following claims to cover each variation and mod- 
ification that falls within the true spirit and scope of the 
present invention. 

so Claims 

1 . A method of protecting a cryptographic device per- 
forming cryptographic operations from DPA attack, 
the method comprising the steps of: 

55 

a) enclosing the cryptographic device within a 
physically secure environment; 

b) providing power to the cryptographic device 
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from a power source, the first power source be- 
ing external to the physically secure environ- 
ment; and 

c) providing additional circuitry connected to 
the power source and the cryptographic device 5 
to maintain a constant power drain on the pow- 
er source as the cryptographic device performs 
various operations. 



power source and the cryptographic device to 
maintain a constant power drain on the power 
source as the cryptographic device performs 
various operations. 

1 1 . Apparatus as described in claim 1 0 wherein the ad- 
ditional circuitry is located within the secure envi- 
ronment. 



2. A method as described in claim 1 further comprising 
the step of locating at least a part of the additional 
circuitry within the secure environment. 

3. A method as described in claim 2 wherein the ad- 
ditional circuitry comprises a current source and a 
voltage regulating circuit, the voltage regulating cir- 
cuit being connected between the power input of the 
cryptographic device and ground. 

4. A method as described in claim 3 wherein at least 
those parts of the additional circuitry carrying sep- 
arate components of the total current from the pow- 
er source are within the secure environment. 

5. A method as described in claim 3 wherein the volt- 
age regulating circuit comprises a zenner diode. 

6. The method of claim 2 wherein the cryptographic 
operations generate a digital token for a postal ind- 
icium. 



10 12. Apparatus as described in claim 11 wherein the ad- 
ditional circuitry comprises a current source and a 
voltage regulating circuit, the voltage regulating cir- 
cuit being connected between the power input of the 
cryptographic device and ground. 

15 

13. Apparatus as described in claim 12 wherein at least 
those parts of the additional circuitry carrying sep- 
arate components of the total current from the pow- 
er source are within the secure environment. 

20 

14. Apparatus as described in claim 12 wherein the 
voltage regulating circuit comprises a zenner diode. 

15. Apparatus as described in claim 10 wherein the 
25 cryptographic operations generate a digital token 

for a postal indicium. 

16. Apparatus as described in claim 10 wherein the 
cryptographic operations generate a secure mes- 

30 sage for a value metering system. 



7. A method of protecting a cryptographic device per- 
forming cryptographic operations from DPA attack, 
the method comprising the step of regulating the 
voltage at the power input of the cryptographic de- 35 
vice to maintain a constant value, whereby the pow- 
er drawn from a power supply for the cryptographic 
device is held constant. 

8. The method of claim 1 or claim 7 wherein the cryp- *o 
tographic operations generate a digital token for a 
postal indicium. 



9. The method of claim 1 or claim 7 wherein the cryp- 
tographic operations generate a secure message *5 
for a value metering system. 



10. Apparatus for performing cryptographic operations 
comprising: 

50 

a) a cryptographic device for performing the 
cryptographic operations; 

b) a physically secure environment enclosing 
the cryptographic device; 

c) a power source external to the physically se- ss 
cure environment for providing power to the 
cryptographic device; and 

d) additional circuitry connected to the first 
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